Fundamentals of the COSO Framework: Building Blocks for Integrated Internal Controls
The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, is a private sector initiative led by the American Institute of Certified Public Accountants (AICPA), Institute of Management Accountants (IMA), American Accounting Association (AAA), Institute of Internal Auditors (IIA), and Financial Executives International (FEI). COSO formed to investigate the fraud scandals of the 1970s and 1980s, releasing an internal controls framework in 1992.
This COSO Internal Control – Integrated Framework (ICIF) — also somewhat confusingly known simply as COSO or the COSO framework — provided guidance for how organizations can implement controls to prevent, detect, and manage fraud risk related to external financial reporting. This article will break down the five pillars and seventeen principles of the COSO framework, as well as how to implement and use it as a foundation for modern internal controls and fraud deterrence.
Overview of the COSO Framework
Although the original aim of COSO (the organization) was to investigate and address fraud in the 1970s and 1980s, the COSO framework (the framework) gained increased importance due to the fraud cases of the 1990s and 2000s (Enron, WorldCom, Sunbeam, Tyco) and the subsequent passing of the Sarbanes-Oxley Act (SOX). SOX requires public companies to implement and maintain effective internal controls across the organization related to financial statements. Companies subject to SOX regulations adopted COSO as one of the primary frameworks to satisfy these requirements. The COSO Internal Control – Integrated Framework (ICIF) was revised and reissued in 2013 with updated guidance, and periodic updates are issued by the Committee. COSO also provides guidance for establishing an Enterprise Risk Management (ERM) program, which often works hand in hand with a company’s control environment.
In March of 2023, COSO released a study and guidance regarding internal controls over sustainability reporting (ICSR) that leverages the COSO internal controls framework. As scrutiny increases around corporate sustainability, more regulations have come into play requiring reliable, trusted reporting around environmental, social, and governance (ESG) matters. COSO and other professional organizations are adapting, and this new guidance around ICSR gives companies a vetted avenue for reporting around sustainability. Though sustainability matters are considered “non-financial”, COSO has supported stakeholder demand to adapt COSO’s ICIF for ESG reporting.
The COSO “cube” visual below summarizes the pillars and components of the COSO framework. On the first face of the cube are five foundations of internal controls. On the top face of the cube are the control objectives categories — that is, the organization’s operational, compliance, and reporting objectives in relation to internal controls. On the last face of the cube are the levels at which controls need to be implemented, from the Entity level to the functional level.
What Are the Five Pillars of the COSO Framework?
The five pillars of the COSO framework, illustrated on the front face of the cube, support internal controls objectives around operations, reporting, and compliance by providing some guidance on how to implement effective controls. These pillars are further broken down into 17 principles.
Control Environment
The Control Environment of an organization refers to the overall culture of internal controls and is established from the top down. As demonstrated by Enron and other, more recent fraud cases, poor “tone at the top” can lead to fraudulent activity with devastating consequences. Establishing a Control Environment in accordance with the COSO framework involves demonstrating the following principles:
- 1. The company commits to integrity and ethical values. This entails unequivocal communication of ethical standards and the expectation that all employees adhere to these standards. It involves the implementation of a code of conduct, ethics training, and a whistleblower policy to foster the reporting of unethical behavior without fear of retaliation.
- 2. The Board of Directors maintains independence from management and oversees internal controls programs. An independent Board of Directors, particularly an audit committee, is crucial for providing oversight and ensuring management accountability. Regular meetings and comprehensive reports on the effectiveness of internal controls are essential to maintaining this oversight.
- 3. Management defines organizational structure, authority, reporting lines, and responsibilities to execute on the company’s operational, reporting, compliance, and business objectives. A clearly defined organizational structure ensures clarity in roles and responsibilities, which is vital for the efficient operation of internal controls.
- 4. The company prioritizes the recruitment, development, and retention of capable, competent individuals aligned to internal controls objectives. This principle underscores the importance of hiring individuals with the requisite skills and qualifications to perform their roles effectively. Ongoing training and professional development opportunities enable employees to stay current with best practices in internal controls and compliance.
- 5. The company establishes accountability for control responsibilities. Accountability is enforced by setting explicit expectations and performance metrics related to internal controls. Regular performance reviews, along with a system of rewards and consequences, ensure that employees comprehend the significance of adhering to internal controls.
Achieving these principles can be done through documentation of policies, mission and vision statements, strategic planning documents, meeting notes, and periodic evaluation of the company’s internal controls program, either through an internal audit or external compliance audit.
Risk Assessment
The next pillar of the COSO framework stipulates the need for periodic or ongoing risk assessments based on the organization’s internal controls system. These risk assessments can be performed by internal personnel, such as an internal audit team, or third parties, such as a consulting or CPA firm. COSO specifies four core principles for risk assessment and risk treatment, listed below:
- 6. The company establishes objectives with enough specificity to enable the identification and assessment of risks to the objectives. These objectives should encompass all areas of the organization, including strategic, operational, reporting, and compliance goals. Clear objectives serve as a reference point for identifying potential risks and determining their impact.
- 7. The company identifies risks that could potentially affect achieving its objectives and scrutinizes these identified risks to develop an action plan for risk treatment. Techniques such as SWOT analysis (Strengths, Weaknesses, Opportunities, Threats), PESTLE analysis (Political, Economic, Social, Technological, Legal, Environmental), and brainstorming sessions can be employed to uncover risks.
- 8. When evaluating risks, fraud is explicitly considered as part of the assessment.
- 9. The organization anticipates and assesses any changes that may affect internal controls.
Risks should be logged in a risk register or risk inventory that describes the risk, the likelihood that the risk will be realized (Likelihood/Probability), the impact if the risk is realized (Impact), the plan for mitigating the risk, the timeline for mitigating the risk, and the person(s) responsible for that risk. Risk assessments should occur at least annually, and the risk register should be updated as risks are discovered or mitigated. Consideration of these risk assessments and risk registers should be incorporated into the organization’s decision-making process and aligned with the organization’s risk tolerance.
Control Activities
Once an organization has defined their objectives, established an ethical control environment, and performed or initiated a risk assessment, the COSO framework dives another level deeper. Control activities are those processes, activities, actions, and communications performed to mitigate risks and maintain strong internal controls. Three COSO principles fall into this pillar:
- 10. Control activities address and mitigate risks to the company’s objectives.
- 11. The company establishes control activities over technology in line with the company’s objectives.
- 12. Policies and procedures define the control activities that should be taking place at the company as part of the internal controls program.
There are three types of control activities:
- Preventive Controls, which are designed to prevent errors or irregularities before they occur. Examples include authorization procedures, segregation of duties, and physical controls over assets.
- Detective Controls, which are designed to identify errors or irregularities that have already occurred. Examples include reconciliations, audits, and performance reviews.
- Corrective Controls, which are designed to correct errors or irregularities after they have been detected. Examples include remedial action plans and follow-up procedures.
Management often leverages technology to enhance the effectiveness and efficiency of control activities. Automated controls, such as system-based authorizations and electronic reconciliations, can reduce the risk of human error and increase the reliability of controls. Data analytics and continuous monitoring tools can provide real-time insights into control performance and potential issues.
A more specific example of a preventive control activity might require that any code change be: 1) reviewed by an appropriate individual, 2) who is not the developer of the change, and 3) approved by that individual in the ticketing system. Another preventive control activity might be the termination of an employee’s account within 24 hours of their last day.
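The two preventive controls just described can be tested automatically, which is how the design and operating effectiveness testing described later in this article is typically carried out for technology controls. The following is an added example, not code from the article or from AuditBoard; the record fields (`author`, `reviewer`, `approved_in_ticket`, `last_day`, `disabled_at`) and the sample data are constructed assumptions about what a change-management and HR/identity export might contain.

```python
"""Automated test of two preventive control activities (added example).

Each check returns the population of exceptions, which is what an auditor
would want to see: an empty list means the control operated for every record
in the sample period. Record formats and sample data are constructed.
"""
from datetime import datetime, timedelta

# Constructed change records: one compliant, one self-reviewed,
# one reviewed but never approved in the ticketing system.
CHANGES = [
    {"id": "CHG-1", "author": "alice", "reviewer": "bob", "approved_in_ticket": True},
    {"id": "CHG-2", "author": "carol", "reviewer": "carol", "approved_in_ticket": True},
    {"id": "CHG-3", "author": "dave", "reviewer": "erin", "approved_in_ticket": False},
]

# Constructed termination records: last day of employment versus the time
# the account was disabled (None means the account is still active).
TERMINATIONS = [
    {"user": "frank", "last_day": "2024-03-01T17:00:00", "disabled_at": "2024-03-02T09:00:00"},
    {"user": "grace", "last_day": "2024-03-05T17:00:00", "disabled_at": "2024-03-08T10:00:00"},
    {"user": "heidi", "last_day": "2024-03-06T17:00:00", "disabled_at": None},
]


def check_change_control(changes):
    """Return (change id, reason) for every change that fails segregation of
    duties (no reviewer, or reviewer is the developer) or lacks approval."""
    exceptions = []
    for change in changes:
        reviewer = change.get("reviewer")
        if not reviewer:
            exceptions.append((change["id"], "no reviewer recorded"))
        elif reviewer == change["author"]:
            exceptions.append((change["id"], "reviewer is the developer"))
        if not change.get("approved_in_ticket"):
            exceptions.append((change["id"], "no approval in ticketing system"))
    return exceptions


def check_termination_control(terminations, max_hours=24):
    """Return (user, reason) for every account not disabled within max_hours
    of the employee's last day; a still-active account is always an exception."""
    exceptions = []
    for rec in terminations:
        if rec["disabled_at"] is None:
            exceptions.append((rec["user"], "account still active"))
            continue
        delay = datetime.fromisoformat(rec["disabled_at"]) - datetime.fromisoformat(rec["last_day"])
        if delay > timedelta(hours=max_hours):
            hours = delay.total_seconds() / 3600
            exceptions.append((rec["user"], f"disabled {hours:.0f}h after last day"))
    return exceptions


if __name__ == "__main__":
    for name, result in (("change control", check_change_control(CHANGES)),
                         ("termination control", check_termination_control(TERMINATIONS))):
        print(f"{name}: {len(result)} exception(s)", *result, sep="\n  ")
```

Running the script against the constructed data lists CHG-2 and CHG-3 for the change control and grace and heidi for the termination control; in practice the inputs would be exported from the ticketing system and the identity provider for the period under test.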
Information and Communication
This may seem obvious, but another crucial aspect of a successful compliance and internal controls program is appropriate, consistent, and timely information distribution and communications to relevant stakeholders. That’s a mouthful — breaking that down further, the COSO framework requires companies to communicate and share information based on these principles:
- 13. The company uses quality data and information to support control objectives. For data to be useful it must be relevant, timely, accurate, and accessible. High-quality data allows management and employees to make informed decisions and effectively manage risks. It encompasses both financial and non-financial data, ensuring comprehensive coverage of all areas critical to the organization’s objectives.
- 14. The company communicates relevant information, objectives, assignments, accountability, and responsibilities for internal control activities. This includes upward, downward, and lateral communication.
- 15. When necessary, the company communicates with external entities regarding internal controls, including investors, regulators, customers, and suppliers.
More and more companies, especially B2B organizations, include clauses in their contracts that require the disclosure of data breaches, incidents, cyber attacks, and other internal controls matters to external entities. HIPAA directives require the reporting of data breaches to affected parties. A well-orchestrated communication plan can take much of the pain out of building out a COSO program.
Monitoring Activities
The fifth and final pillar of the COSO framework involves monitoring, measuring, and reporting on the company’s internal controls system and includes the following principles:
- 16. Regular or ongoing evaluations occur to determine if the internal controls program is operating effectively. This includes supervisory reviews, transaction reviews, and performance metrics to provide additional insight into the effectiveness of controls. Evaluations should also be a combination of internal and external assessments. The internal audit function may be used to evaluate internal controls and external auditors may conduct reviews as part of their annual financial statement audit.
- 17. Any internal control deficiencies are reported in a timely manner to the accountable parties, including the Board of Directors and upper management when necessary.
What Are the Steps to Implement and Use the COSO Framework?
To build and integrate an effective COSO program, an organization can follow these general steps. For more in-depth details on how to improve organizational performance and governance with COSO guidance, refer to this document from COSO.
Planning
In order to get the most out of the COSO framework, organizations need to do some legwork upfront. Organizations should understand why they are leveraging this framework, and how it fits into their overall strategic roadmap, while also having a clear understanding of the 17 principles of the framework itself. Since COSO applies to the whole organization, it is crucial to develop a meticulous and thorough plan for setting up and maintaining an internal controls system based on COSO. Investing in compliance management software to coordinate COSO control activities facilitates both planning and execution.
Evaluation and Documentation
Following planning, it is important to understand the maturity of the organization’s internal controls program and what documentation exists to support objectives and pillars. In this phase, the responsible team should collect the available documentation around the organization’s internal controls, and take into account whether there are common processes, formal Enterprise Risk Management (ERM), and/or appropriate control activities in place. If the documentation available is insufficient to support the organization’s objectives and the requirements of COSO, these should be tracked for remediation as gaps.
Remediation
As internal control assessments reveal gaps in an organization’s internal controls program, the parties responsible for those control activities or areas undertake remediation or risk mitigation activities. If an internal control gap is found, the responsible team(s) plan the remediation or risk mitigation steps, timeline, and responsibilities, then execute that plan.
Testing and Reporting
Once a company has completed the preceding steps and has comfort that the company is compliant with the COSO framework, testing and reporting occur. Testing involves evaluating the design and operating effectiveness of internal controls, as well as the control’s impact on related risks. A test of an Incident Management control might involve inspecting the log of incidents for a certain period and determining if the proper documentation was completed for a select subset of those incidents.
Management should receive regular reporting around the internal controls program and the results of testing.
What Are the Pros and Cons of the COSO Framework?
The COSO framework is a foundation of modern internal controls and fraud deterrence. This framework has been used to guide and help develop other existing compliance frameworks. The visualization of the COSO cube emphasizes the need for the integration of operational and control activities. There are plenty of resources available to organizations seeking to build a COSO program. And, perhaps most importantly, applying the COSO framework as an organization subject to SOX is a great way to meet internal control requirements.
However, the COSO framework’s greatest strength is also its limitation: its broadness. Designed to apply to a wide range of industries and companies, the COSO framework does not provide specific methods for implementing effective control activities, but rather provides overarching principles for how internal controls should be structured. Alongside this broadness, COSO’s other limitation is its stringency. Smaller organizations may find themselves challenged when implementing COSO requirements because of the coordination required and, plainly, the extent of work that must be completed to establish a successful, effective, COSO-based system of internal controls. AuditBoard simplifies the path to a strong internal controls program by unifying risks, controls, policies, frameworks, issues, and stakeholder communications to meet the ever-increasing compliance needs of modern businesses.
FAQs about COSO Framework
Question #1: What is the COSO Framework?
- Answer: The COSO Framework is an internal controls framework aimed at preventing fraud.
Question #2: What are the five components of the COSO Framework?
- Answer: The five components of the COSO Framework are: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
Question #3: What are the steps to implement and use the COSO framework?
- Answer: The steps to implement and use the COSO framework are: Planning, Evaluation and Documentation, Remediation, and Testing and Reporting.
Question #4: What are the pros and cons of the COSO framework?
- Answer: Pros of the COSO Framework include the framework’s broadness, which can be applied to many types of companies; the wide acceptance of the framework as a standard for internal controls; and the ability to use the COSO Framework to satisfy SOX requirements.
- Cons of the COSO Framework are that the framework is complex and difficult to implement without a dedicated team, and that the framework lacks specific implementation guidance for meeting the framework’s requirements.
Arden Leland, CPA, is a Manager of Solutions Advisory Services at AuditBoard. Prior to joining AuditBoard, she spent 7 years at PricewaterhouseCoopers managing external audits for both private and public companies, with a specific focus on working with companies in their early years of SOX compliance. Connect with Arden on LinkedIn.